John P. Collins, Director- Information Governance & Office 365 Consulting, DTI
As CIO and leader of the information technology function, you have a lot on your plate: cyber security, budgets, head count, data privacy, cloud initiatives—the list is endless. The issues and challenges you face impact your organization’s ability to deliver its goods or services and fulfill its mission. Consequently, it is no surprise that an unwelcome distraction for many CIOs is when the legal department calls and requests assistance with conducting discovery—or what is commonly referred to as “eDiscovery.”
eDiscovery is a distraction for CIOs in large because it’s not a profit generating or mission-critical activity. The CIO and their team are typically asked to drop everything and focus for a few hours or days on helping legal comply with seemingly insane discovery requests (such as “all documents for a 10 year period referencing a particular product”). What if IT is in the middle of a critical roll-out or upgrade? The ad-hoc and seemingly random timing of eDiscovery can play havoc with IT scheduling and deployment plans.
There is a way for CIOs to minimize this disruption while helping legal reduce the costs and risks of eDiscovery—and it does not involve massive capital investments or complex technology. It entails creating—in collaboration with the legal department—an ESI (“Electronically Stored Information”) data map. An ESI data map is an inventory of applications, platforms, and systems (“applications”) in use or in existence across an organization. It captures key facts and characteristics about those applications, memorializing them in a narrative format that is “lawyer” friendly.
Following are several hallmarks of the types of ESI data maps that reduce disruption to IT while providing significant value to legal:
• Organizes applications into “tiers” or “buckets”. The more prominent the application from an eDiscovery perspective, the higher tier or bucket. The volume and depth of information captured and presented is based on an application’s tier—the higher the tier, the more in depth the treatment.
• Captures key facts of both a current and historical nature, such as:
• When was the application first deployed? Was data migrated from the predecessor application (if there is one?)
• What is the history of purging, deleting, and (possibly) archiving data in the application?
• Is the application’s data backed up? If yes, how long are backups retained?
• What business processes does the application support? What is the business purpose of the application?
The ad-hoc and seemingly random timing of eDiscovery can play havoc with IT scheduling and deployment plans
• What type of application is it from a technology perspective? Client/Server? Mainframe? Software as a Service (SaaS)? Is it a database driven system (ERP) or primarily unstructured (file server).
• Who are the subject matter experts for the business processes the application supports?
• Who are the subject matter experts from a technology perspective?
Gathering the above information and presenting it in a format useful to lawyers is an art and a science—and requires a blend of technical, legal, and records management expertise. The process can employ a combination of interviews, targeted surveys, white-boarding, and data analysis. No indexing software is needed as the ESI data map’s purpose is informing high-level strategic decisions regarding preservation and collection of ESI. Several versions of the ESI data map can be prepared, each providing a level of detail appropriate to the need. For example:
• Executive Summary: a broad summary of the IT landscape that describes who is responsible for what, and provides just enough information to allow the lawyers to determine at first blush, whether a particular application should be in scope.
• Tier 1 Report: at the other end of the spectrum from the Executive Summary, the Tier 1 Report provides in-depth information about the current and historical aspects of a single application. While it includes the core facts required to address discovery (deletion policies, backup retention, age/scope of data, etc.), it may also include contextual background about the nature of the application, i.e., what an ERP system or data warehouse are.
• Visual ESI Data Map: this is a graphical depiction of the application’s organized tiers. The visual ESI data map can be used by the lawyers in discovery conferences and hearings to help educate the judge and opponents about the complexity of their client’s IT environment.
In most organizations, the impetus, funding, and sponsorship for an ESI data mapping project comes from legal. However, in every ESI data mapping project, IT is a primary participant in the process, which means the CIO must be on board. Ideally, the CIO is not just on board, but an active executive sponsor.
As CIO, you may view the ESI data map initiative as, itself, being disruptive or duplicative of another project already in the works. Before arriving at that conclusion, consider the following:
• The ESI data mapping project is disruptive, but it’s disruptive on your terms. Unlike court-driven discovery (which has its own, largely unpredictable timeline), an ESI data mapping project runs on your schedule, with interviews and information gathering activities occurring around IT staff’s availability.
• Existing projects will not provide the deliverables yielded in an ESI data mapping project. This is not to say you can’t leverage other initiatives, projects, and inventories—you can, and should. Information gathered for IT driven projects can provide upwards of 50 percent of the information needed to build the ESI data map. But don’t expect IT or business driven projects to supply all the information lawyers need.
The next time legal asks for resources to comply with a discovery request, by all means help (what choice do you really have?), but take the next step and ask them if they would like to take a long-term and proactive approach by collaborating with you and your team to create an ESI data map. If they take you up on your offer, you will reduce disruptions to your team while helping reduce the costs, risks, and burdens associated with eDiscovery—or perhaps even ensure a more favorable outcome. Creating an ESI data map is a win-win-win: IT and the CIO win; the legal department wins; and, the organization wins.